RSA - Default settings threaten VOIP security, experts warn

VOIP gear from major vendors can be made secure, but it doesn't come out of the box that way, experts warned at RSA Conference 2007.

Default settings are the enemy that needs to be dealt with before turning up a VOIP system, according to David Endler, director of security research for TippingPoint, and Mark Collier, CTO of SecureLogix, who presented their research on VOIP security at the conference. Both are members of the VOIP Security Alliance, an industry group trying to promote better VOIP security.

Leaving IP phone settings at default can lead to trouble because many phones include Web servers that can let hackers see valuable information. If these servers are reachable from the Internet, Google indexes them. Hackers then direct their browsers at the VOIP devices and probe for data, including the address of the VOIP server the phone is associated with, according to Endler.

Some of these servers offer packet capture as a feature, so a compromised phone could bug itself. "That would let you download conversations off the device," says Endler.

Vendors' default voicemail answering messages are unique to each vendor, so calling the system and listening to the message can tell hackers what brand of IP phone system is being used, and they can tailor their reconnaissance and attacks accordingly. Phones with default passwords pose even more of a threat, he says.

The remedy is to disable the Web servers on phones, change passwords and record new voicemail greetings, Endler says.

Scans of firewalls can reveal open ports, and tools available on the Internet can map those ports to likely protocols and even to vendors' implementations of those protocols. VOIP-aware firewalls can close these ports efficiently so they are only open when they need to be to set up or carry calls, Collier says.

Some phones use the TFTP protocol to communicate with the VOIP server, and tools available on the Internet can help search for the names of configuration files that can contain passwords to telnet ports, for example, opening the phone to malicious manipulation, Endler says.

These phones may also support SNMP, leaving them vulnerable to giving up information that may be used to hack the network. Customers should disable SNMP or use a version of it that requires authentication, he says.

If hackers get access to a SIP phone, they can insert rogue software into the call stream to inject content into conversations. So, for instance, such a man-in-the-middle attack might add embarrassing background noise to make it sound like a business call was coming from a club or ballgame.

This type of attack could also drop calls, redirect them, inject words or phrases or create jitter to disrupt call quality.

The biggest threat to VOIP networks is internal because most corporate deployments connect employees at company sites, but not directly to the rest of the world, they say.

Most attacks that affect VOIP are still those directed at the network itself, not at VOIP specifically, Collier says. The key is to make sure general network security is strong and to protect VOIP with added measures such as putting calls on VLANs and implementing quality of service so VOIP gets priority regardless of how much traffic floods the network. "Denial of service is the worst threat to VOIP," he says.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.